SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

WordPress 6.4.2 Patches Remote Code Execution Vulnerability

WordPress 6.4.2 patches a flaw that could be chained with another vulnerability to execute arbitrary code.

WordPress this week released a security update for the popular content management system (CMS) to address a remote code execution (RCE) vulnerability.

The flaw addressed in the open source CMS is a property oriented programming (POP) chain issue introduced in WordPress core 6.4. It can be combined with a different object injection flaw, allowing attackers to execute PHP code on vulnerable websites.

The bug was identified in a class that was introduced in WordPress 6.4 to improve HTML parsing in the block editor, the Wordfence team at WordPress security company Defiant explains.

The vulnerable class includes a function that is executed automatically after PHP has processed a request, and which uses properties that an attacker may have full control of.

“While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability,” Wordfence explains.

In its advisory, WordPress notes that the RCE flaw is not exploitable directly in core, but that, when combined with some plugins, it may pose a high risk.

Advertisement. Scroll to continue reading.

To resolve the issue, WordPress added a new method that prevents the vulnerable function from executing, thus preventing exploitation.

The RCE bug was patched in WordPress 6.4.2. Site owners and administrators are advised to update to the fixed CMS version as soon as possible.

While there are no indicators that the vulnerability is being exploited in malicious attacks, bugs in WordPress and associated plugins have long been an attractive target for threat actors.

“While most sites should automatically update to WordPress 6.4.2, we strongly recommend manually checking your site to ensure that it is updated,” Wordfence notes.

Related: Backdoor Malware Found on WordPress Website Disguised as Legitimate Plugin

Related: Recently Patched TagDiv Plugin Flaw Exploited to Hack Thousands of WordPress Sites

Related: Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks

Related: Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: Why Email Security Keeps Failing (And What Has to Change)
July 8, 2026

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

Virtual Event: 2026 Cloud Security Summit
July 16, 2026

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Philip Martin has joined Uber as Chief Information Security Officer.

Fable Security has appointed Jacob Berry as Chief Information Security Officer.

iCOUNTER has named Ali Waezzadah as Chief Information Security Officer.

More People On The Move

Expert Insights

No Exploits Required

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.